Key Takeaways
- The IRS and FTC are enforcement agencies, not partners — when a data breach hits your firm, federal regulators prosecute you for non-compliance; they don’t help you recover.
- The Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule legally classify tax preparers as financial institutions, meaning the same data protection laws that govern banks apply directly to your practice.
- Penalties for non-compliance are severe and practice-ending — fines up to $53,088 per violation, PTIN and EFIN revocation, and criminal misdemeanor charges are all on the table.
- Nine specific, commonly overlooked gaps — from MFA exceptions to data hoarding — are quietly turning small accounting firms into regulatory targets right now.
- Firms that understand these risks early can build real defenses before a breach forces the conversation.
Most small accounting firms think about cybersecurity the same way they think about a fire extinguisher — good to have around, but not something that needs daily attention. That assumption is dangerous, and it’s exactly how the 9 cyber risks small accounting firms face today go unnoticed until it’s too late. When it comes to federal regulators, that oversight can be practice-ending.
The IRS Is an Enforcer, Not a Safety Net
There is a widespread misconception running through the small accounting and tax preparation world: that the IRS, in the event of a cyberattack, will step in as a supportive partner — offering guidance, time, and grace. The opposite is true.
When a data breach occurs at an accounting firm, the IRS and the Federal Trade Commission (FTC) do not primarily view that firm as a victim of crime. They view it as a non-compliant financial institution that failed its legal obligations to protect consumer data. The investigation that follows is not a rescue — it is a prosecution.
This isn’t a fringe interpretation. It is the explicit posture of federal enforcement — and it’s worth noting that the same compliance-isn’t-security gap in HIPAA-covered medical practices plays out almost identically for firms that don’t have a legal or IT team walking them through it. The regulatory framework is detailed, the penalties are severe, and the gap between what small firms think is required and what the law actually demands is where most compliance failures live.
How Federal Law Classifies Your Firm
GLBA and the FTC Safeguards Rule Cover Tax Preparers
The Gramm-Leach-Bliley Act (GLBA) does not limit itself to banks and credit unions. Under the law, any individual or business that prepares tax returns for compensation — CPAs, Enrolled Agents, seasonal preparers, solo practitioners — is classified as a financial institution. That classification brings with it the full weight of the FTC Safeguards Rule, codified at 16 CFR Part 314.
Updated in 2021 and further amended in 2023, the FTC Safeguards Rule requires covered firms to develop, implement, and maintain a written information security program. This isn’t a suggestion — it is a legal mandate with specific, auditable requirements. Alongside it, the IRS enforces its own data protection standards through IRS Publication 4557 (Safeguarding Taxpayer Data) and IRS Publication 5708 (Creating a Written Information Security Plan), which outline security requirements and provide a structured framework for documenting them.
Together, these rules mean that every tax preparer in the country, regardless of firm size, is operating inside a federal compliance structure — whether they know it or not.
What Non-Compliance Actually Costs: Fines, PTIN Suspension, and Felonies
The consequences of non-compliance are not abstract. They are specific, financial, and professionally catastrophic.
- Civil penalties: The FTC adjusts its fines annually for inflation. As of January 2025, the maximum civil penalty reaches up to $53,088 per individual violation. A single breached database containing hundreds of client records can generate millions in theoretical liability.
- EFIN and PTIN revocation: Under Revenue Procedure 2007-40, the IRS can unilaterally suspend or permanently revoke a firm’s Electronic Filing Identification Number (EFIN) and Preparer Tax Identification Number (PTIN), effectively ending the firm’s ability to operate.
- Criminal misdemeanor charges: Under IRC § 7216, knowing or reckless disclosures of taxpayer data are a misdemeanor carrying up to one year imprisonment and a fine of up to $1,000 — rising to a fine of up to $100,000 when the disclosure or use is connected to identity theft.

These aren’t worst-case-scenario outcomes reserved for massive corporations. They are the documented enforcement tools applied to small tax and accounting practices.
Risk 1: The ‘In-Office’ MFA Exception That Doesn’t Exist
Why Skipping MFA Inside the Office Violates 16 CFR § 314.4(c)(5)
Many small firms disable Multi-Factor Authentication (MFA) for staff working inside the physical office. The logic seems reasonable: if someone is already sitting at a desk inside a locked suite, the network itself is the security barrier. This is the perimeter defense model — and the amended FTC Safeguards Rule explicitly eliminates it.
Under 16 CFR § 314.4(c)(5), MFA is required for any individual accessing any information system containing customer information, regardless of physical location or network origin. There is no in-office exception. The only alternative is a written compensating control — formally documented by the firm’s Qualified Individual — that provides equivalent protection. For a small accounting firm, that standard is practically impossible to meet or defend under audit.
The rule effectively mandates a Zero Trust Architecture approach: every access request, from every device, at every location, must be verified independently. Trust is never assumed based on where someone is sitting.
How One Spear-Phishing Email Bypassed a Trusted Network
Consider what happens when this gap meets a real attacker. A regional CPA firm disables MFA for all desktop computers inside its office, relying on firewalls to guard the perimeter. An administrative assistant receives a highly targeted spear-phishing email and unknowingly hands over her credentials. The attacker deploys a malicious payload on her workstation, gaining a persistent foothold on the internal network.
When the attacker then attempts to access the firm’s central tax software portal, the system recognizes the request as coming from a trusted internal IP — and skips the MFA prompt entirely. Thousands of unencrypted 1040s, W-2s, and brokerage statements are quietly exfiltrated before anyone notices.
During the subsequent FTC and IRS joint audit, forensic investigators find the conditional access policy that whitelisted internal IP addresses. The firm is cited for a willful violation of § 314.4(c)(5) and placed under a 20-year third-party compliance audit requirement alongside significant civil penalties. The fix — enforcing MFA universally through Microsoft Entra ID or Okta, migrating to FIDO2-compliant authenticators, and auditing all third-party tax software for MFA support — would have cost a fraction of the penalties imposed. A low-cost MFA and endpoint stack can close most of this gap for a fraction of what a single violation costs.
Risk 2: Boilerplate WISPs That Become Evidence Against You
The FTC Requires a WISP ‘Appropriate to Your Size and Complexity’ — A Generic Template May Not Qualify
A Written Information Security Plan (WISP) is legally required for every tax preparer. Faced with that burden, many small practices download a template from an industry association or pull the IRS Publication 5708 example, type their firm’s name on the title page, and file it away. That approach can be more dangerous than having no WISP at all.
The FTC Safeguards Rule requires an information security program that is appropriate to the size, complexity, and sensitivity of the firm’s data. A generic boilerplate document promising continuous penetration testing, cryptographic encryption across a mapped Data Inventory Ecosystem, and immutable offsite backups — when the firm actually relies on consumer-grade antivirus and a shared local drive — doesn’t protect the firm. It creates documented evidence of negligence.
During an audit, the gap between what the WISP claims and what the firm actually does is treated as a deliberate misrepresentation. Attestation of compliance during annual PTIN renewal carries legal weight. Falsely attesting to a WISP the firm doesn’t actually follow can be treated as perjury by the IRS Office of Professional Responsibility (OPR).
How to Reconcile Your WISP to Reality
The solution isn’t a perfect WISP — it’s an accurate one. Three practical steps close the gap:
- Audit the template line by line. Pull the IRS Publication 5708 framework and verify whether each stated safeguard reflects something the firm actually has in place. If a control doesn’t exist, remove it from the document.
- Build a Data Inventory. The Safeguards Rule requires firms to identify and document every location where Nonpublic Personal Information (NPI) is collected, stored, and transmitted — including email servers, local drives, paper filing cabinets, and cloud platforms. This inventory is the foundation the WISP is built on.
- Document exceptions formally. If the firm lacks an enterprise-grade control, strike it from the WISP and document the reasonable alternative safeguard actually in use. A smaller compensating control honestly documented is far more defensible than a promise the firm can’t keep.
Risk 3: Outdated Password Policies NIST Recommends Against
Why Forced 90-Day Rotations Invite Credential Stuffing
For years, the standard security advice was clear: make passwords complex, rotate them every 60 to 90 days, and enforce special character requirements. NIST Special Publication 800-63B has since formally declared that era over — and explains why those rules actively made things worse.
Forced rotations create predictable behavior. When a staff member is required to change their password every two months, they rarely create something entirely new — they update a base pattern. “TaxSeason2025!” becomes “TaxSeason2026!” The moment that base password appears in a third-party data breach, automated credential stuffing tools can cycle through every predictable variation in seconds.
NIST SP 800-63B explicitly prohibits forced periodic rotations unless there is evidence of a specific compromise. It also removes the old “8-4” complexity rule in favor of length-first policies — recommending a minimum of 15 characters — and mandates active blocklist screening: checking every new password against databases of known-compromised credentials before it is accepted.
The practical fix involves three changes: disable 60/90-day expiration requirements in Active Directory and cloud software; configure authentication systems to require 15-character minimums and encourage multi-word passphrases; and deploy blocklist-screening integrations such as the Have I Been Pwned k-anonymity API or Enzoic to block compromised passwords at the point of creation.
Risk 4: No Written Contracts with Your SaaS Vendors
Shadow AI: When a Junior Staff Member Uploads Client K-1s to a Free Chatbot
During peak tax season, an overwhelmed junior accountant uploads 50 complex client K-1 documents into a popular free AI chatbot to quickly extract and summarize the data. The platform’s terms of service clearly state that uploaded content is retained to train future models. Months later, another user prompts the same tool and receives output containing the original clients’ financial data, social security numbers, and partnership structures verbatim.
This is Shadow AI — the use of unauthorized tools by employees without IT or management oversight — and it is an increasingly common source of regulatory liability for accounting firms. The firm didn’t authorize the upload. But under the FTC Safeguards Rule, that doesn’t remove their responsibility.
What the FTC Requires from Every Vendor Agreement
Under 16 CFR § 314.4(f), transferring NPI to a third-party cloud vendor does not transfer liability. The firm must take reasonable steps to select service providers capable of safeguarding data — and must contractually require them, in writing, to implement those safeguards. That obligation extends to every SaaS platform touching client data, not just the primary tax software.
- Shadow IT audit: Use network monitoring and firewall traffic analysis to identify all unapproved cloud tools staff are actively accessing on firm devices.
- Vendor assessments: Before onboarding any SaaS provider, formally request their SOC 2 Type II report and verify their GLBA compliance posture.
- Contractual safeguards: Ensure all master service agreements (MSAs) with third-party vendors include explicit language prohibiting the retention or secondary use of firm NPI — including for AI model training — and legally binding the vendor to the FTC Safeguards standard.
Risk 5: Assuming Your IT Guy Is Your Qualified Individual
What the FTC Actually Requires from a Designated QI
The 2021 and 2023 amendments to the FTC Safeguards Rule eliminated vague, shared security responsibility. Under 16 CFR § 314.4(a), every covered financial institution must designate a single, specifically named Qualified Individual (QI) — a real person responsible for overseeing, implementing, and enforcing the firm’s entire information security program.
The problem for small firms: most assume their external IT vendor is filling this role. Most IT vendors assume they are not. This gap is invisible until an FTC compliance sweep arrives requesting the name of the firm’s designated QI, the written documentation of that appointment, and the annual written report to the firm’s senior governing body required under § 314.4(i). When the firm turns to the IT vendor for those documents and the vendor points to their break-fix service agreement, the firm has just demonstrated a direct compliance failure.
The QI does not have to be an internal employee — a Virtual Chief Information Security Officer (vCISO) can fill the role. But the designation must be formal, written, and specific, and an internal senior employee must be identified as responsible for directing any external QI vendor. Ultimate legal liability always stays with the firm’s partners.
The ‘5,000 Consumer’ Exemption Only Waives Specific Requirements — Not the Core Rule
Many small practices believe that serving fewer than 5,000 consumers exempts them from the Safeguards Rule. This is a costly misread. The § 314.6 exemption removes four specific requirements: the formal written risk assessment, annual penetration testing, a written Incident Response Plan, and a board-level annual report. It does not waive the obligation to appoint a Qualified Individual or implement the core technical safeguards. Firms operating under this misconception are non-compliant regardless of their client roster size.
Risk 6: Data Hoarding Violates the Secure Disposal Rule
How 20 Years of Stored Returns Turned 1,200 Clients into 8,000 Breach Victims
A mid-sized accounting firm carries an active roster of 1,200 clients. But on a legacy on-premises server sitting in a back closet, there are 8,000 records — former clients, one-time filers, relatives who came in during tax season years ago — dating back to 2005. The server runs outdated software. A threat actor finds a known vulnerability, exfiltrates the entire database, and encrypts the drives.
The firm is now legally required to notify all 8,000 affected individuals, provide credit monitoring, and report to the FTC, the IRS, and multiple state Attorneys General. Of those 8,000 records, approximately 6,800 belong to people the firm hasn’t interacted with in over a decade. The ensuing FTC investigation focuses heavily on those records — because they should have been destroyed years prior.
16 CFR § 314.4(c)(7), the Secure Disposal Rule, requires covered financial institutions to securely dispose of customer information no later than two years after the last customer interaction, unless a specific law requires longer retention or the data remains necessary for legitimate business purposes. Indefinite data retention doesn’t reduce risk — it multiplies the blast radius of any future breach.
The fix involves three operational changes: automating data retention policies in document management systems to purge records beyond legal retention windows; using cryptographic erasure — destroying the encryption key rather than simply deleting files — for digital archives; and maintaining a logged, formal policy for the physical destruction of paper files and decommissioned hardware.
Risk 7: Covering Up a Breach Instead of Reporting It
The FTC’s 30-Day Mandate for 500+ Consumer Breaches — and Why the IRS Expects Immediate Contact
When a breach is discovered, the impulse is to handle it quietly — contain the damage, fix the vulnerability, and move forward without public disclosure. That instinct, under current federal law, constitutes a separate regulatory violation.
Following an amendment effective May 2024, the FTC Safeguards Rule now requires covered financial institutions to notify the FTC within 30 days of discovering a security incident involving the unencrypted information of 500 or more consumers. The notification requirement is triggered by discovery — not by a completed investigation or a confirmed exfiltration.
Separately, the IRS advises tax professionals to contact their local IRS Stakeholder Liaisonimmediately upon discovering a breach. The IRS does not publish a fixed reporting deadline for preparers, but prompt notification allows the IRS to flag affected taxpayer accounts and help prevent fraudulent return processing while the investigation is still underway. Skipping this step doesn’t just delay the IRS response — it hands investigators evidence that the firm prioritized reputation management over consumer protection.
Attempting to conceal a breach — or simply failing to act because no formal Incident Response Plan exists — transforms a cybersecurity failure into a deliberate regulatory violation. The firm isn’t just a victim anymore. It’s a defendant.
Risks 8 & 9: Unencrypted Data and No Incident Response Plan
Risk 8: Transmitting or Storing NPI Without Encryption
The FTC Safeguards Rule requires encryption of all Nonpublic Personal Information both in transit — being sent across a network — and at rest — stored on any device or server. This applies to email attachments containing tax documents, files stored on local hard drives, data sitting in cloud platforms, and information held on USB drives or portable devices.
Many small firms rely on standard email to send completed returns, use unencrypted local drives for client file storage, or haven’t configured their cloud platforms’ native encryption settings. Each of these represents a direct compliance gap — and a straightforward path for an attacker to access readable client data. Encrypted data that is exfiltrated is far less damaging than unencrypted data, both for the clients affected and for the firm’s legal exposure during a breach investigation.
Risk 9: No Documented Incident Response Plan Under § 314.4(h)
16 CFR § 314.4(h) requires covered financial institutions maintaining information on 5,000 or more consumers to establish a written Incident Response Plan (IRP) outlining procedures for responding to a security event. Firms below that threshold are exempt from this specific provision under § 314.6, though maintaining an IRP remains strongly advisable regardless of size. For firms that are covered, this is not a best practice — it is a legal requirement with an auditable deliverable.
A compliant IRP needs to address: how the firm detects and classifies a security incident; who is responsible for internal response decisions; the specific notification pathways for FTC reporting (30-day window), prompt IRS Stakeholder Liaison contact, and applicable state breach notification laws; how affected clients will be informed; and how the firm will document its response for regulatory review. (Firms maintaining information on fewer than 5,000 consumers are not required to maintain this written plan under § 314.6, though doing so is still recommended.)
Without a documented plan, firms don’t just fumble the response — they demonstrate to investigators that no preparation was ever made. In an enforcement context, the absence of an IRP is treated as evidence of systemic non-compliance, not simply an oversight. Building one before a breach is the only time the work actually protects the firm.
You’ve just read all nine gaps. Before you move on, it’s worth finding out how many of them apply to your firm specifically — not in theory, but right now, today. The checklist below takes less than a minute. Check only what’s actually true, not what’s on your to-do list.
However your assessment came back, the boxes you left unchecked are your starting list — not a reason to panic. Every firm that’s fully compliant today started with a version of this same checklist. TechEd Shield builds step-by-step guidance for small firms working through exactly these gaps, without needing an in-house legal or IT team to translate the regulation into action.
Your Next Breach Is a Regulatory Case — Build Your Defenses Now
These nine risks share a common thread: none of them are exotic or technically complex. They are gaps between what firms assume is acceptable and what federal law actually requires. MFA disabled inside the office. A WISP that was never customized. Password policies that push staff toward predictable behavior. Client data retained for two decades because no one built a process to purge it.
Each of these gaps is fixable — often without significant cost or deep technical expertise. But they require honest self-assessment, accurate documentation, and a willingness to measure the firm’s actual practices against the specific regulatory standards that govern them. Firms that do this work proactively find that compliance is manageable. Firms that don’t tend to discover the full weight of the requirements during an FTC investigation — at which point the cost of remediation multiplies many times over.
The IRS will not arrive as a partner when a breach happens. The FTC will not offer grace periods for firms that simply didn’t know the rules applied to them. The regulatory framework treats tax preparers as financial institutions — and holds them to that standard, regardless of their size.
Small accounting firms looking for clear, practical guidance on closing these gaps — without needing a legal team or an IT department — can start with our free cybersecurity health check, built to help small businesses understand and act on cybersecurity requirements in plain language..



